Reflected XSS Vulnerability in Sling CMS by Apache
CVE-2020-1949

6.1MEDIUM

Key Information:

Vendor: Apache
Status: Apache Sling
Vendor: CVE Published:; 1 April 2020

Summary

The Sling CMS prior to version 0.16.0 harbors a reflected XSS vulnerability due to improper escaping of the Sling Selector within URLs, particularly when generating navigational elements for the administrative consoles. This oversight could allow attackers to execute arbitrary scripts in the context of users accessing the affected administrative interfaces, potentially compromising sensitive user data and the integrity of the environment.

Affected Version(s)

Apache Sling Apache Sling CMS 0.14.0 and previous releases

References

https://s.apache.org/CVE-2020-1949

x_refsource_MISC

CVSS V3.1

Score:

6.1

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Changed

Timeline

Vulnerability published
Apr 1, 2020
Vulnerability Reserved
Dec 2, 2019